Firewall Wizards mailing list archives
Re: traceroute
From: Bill_Royds () pch gc ca
Date: Mon, 25 Jun 2001 11:14:52 -0400
Traceroute doesn't just use one port but many, so a simple port-allowed rule won't work. There are two major flavours of traceroute. The Unix one uses a series of UDP packets with increasing port numbers to trace. You would need to allow these ports out, although you should only get Time Exceeded/Port Not Available ICMP messages in reply. The Windows one uses ICMP echo packets with unique IDs for tracing. This is more of a problem because you are letting ICMP echo out and both ICMP echo reply and Time Exceeded back in. The ICMP echo reply packet is what is used by Trinoo/Stacheldraht to control its DDoS zombies, so it could cause problems for you.

There are firewalls (Symantec Raptor for one) that have ping/traceroute proxies. This is more secure. They detect an attempt to send ICMP echo on one interface, send the echo from the other and report the result back to the internal sender. This can also be controlled as to allowed source IPs and destination IPs, so you can allow a limited set of machines to traceroute.

"Wigg, Guy G" <GWigg () mail sbic co za> on 06/24/2001 08:33:13

To: "'Firewall-Wizards (E-mail)'" <firewall-wizards () nfr com>, "'CISSP Forum'" <cisspforum () yahoogroups com>
cc:
Subject: [fw-wiz] traceroute

Hi All

Just looking for a bit of advice please, our Internet Team wish to be able to do traceroutes from our webservers onto the internet as they believe that this will assist in resolving network problems that occur from time to time. Currently we don't allow any ICMP from the Internet into our network/DMZ. What would the risk be of allowing ICMP time exceeded packets into our network? (I presume this is all we need, to allow trace routes from our webservers out onto the net?) I realise opening another port on the firewall increases the risk, but is this a manageable risk?
thanks
Guy

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
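The reply above makes the point that traceroute replies cannot be admitted with a single "allow port N" rule: the replies are ICMP errors, and what distinguishes a legitimate one from an unsolicited one is the copy of the outbound UDP probe it quotes. The Python below is an added illustration, not code from the original thread or from any product mentioned in it. It models the correlation check a stateful firewall or traceroute proxy can make for the Unix (UDP) flavour: admit ICMP Time Exceeded (type 11) and Port Unreachable (type 3, code 3) only when the quoted datagram is a UDP probe the protected host actually sent to a port in the classic traceroute range, and drop ICMP Echo Reply outright, so the Windows-style exposure the reply warns about is never opened. All addresses, ports and packets are constructed for the example; checksums are left at zero and are not verified.

```python
"""Correlate inbound ICMP errors with outbound UDP traceroute probes.

Added example (not from the original thread). Models the check a stateful
firewall or traceroute proxy makes before admitting an ICMP error: the error
must quote a UDP probe the protected host actually sent. Sample packets are
constructed inline; IP/UDP/ICMP checksums are left at zero and not verified.
"""
from __future__ import annotations

import socket
import struct
from dataclasses import dataclass

ICMP_DEST_UNREACH, ICMP_PORT_UNREACH_CODE, ICMP_TIME_EXCEEDED = 3, 3, 11
PROTO_ICMP, PROTO_UDP = 1, 17
TRACEROUTE_PORTS = range(33434, 33535)  # classic Unix traceroute: base port + up to ~100 hops


@dataclass(frozen=True)
class Probe:
    """One outbound UDP traceroute probe the firewall has seen leave."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_ipv4(packet: bytes) -> tuple[str, str, int, bytes]:
    """Return (src, dst, protocol, payload) from an IPv4 packet."""
    if len(packet) < 20:
        raise ValueError("short IPv4 header")
    ihl = (packet[0] & 0x0F) * 4
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    return src, dst, packet[9], packet[ihl:]


def classify_icmp(packet: bytes, outstanding: set[Probe]) -> str:
    """Return 'allow' or 'deny' for an inbound IPv4 packet arriving from outside."""
    src, dst, proto, icmp = parse_ipv4(packet)
    if proto != PROTO_ICMP or len(icmp) < 8:
        return "deny"
    icmp_type, code = icmp[0], icmp[1]
    # Echo Reply (type 0) and everything else never gets in; only the two
    # error types a UDP traceroute produces are candidates.
    if icmp_type == ICMP_DEST_UNREACH and code != ICMP_PORT_UNREACH_CODE:
        return "deny"
    if icmp_type not in (ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED):
        return "deny"
    # RFC 792: the error quotes the offending IP header plus 8 bytes of its payload.
    try:
        q_src, q_dst, q_proto, q_payload = parse_ipv4(icmp[8:])
    except ValueError:
        return "deny"
    if q_proto != PROTO_UDP or len(q_payload) < 8 or q_src != dst:
        return "deny"  # quoted datagram must be UDP sent by the host receiving the error
    sport, dport = struct.unpack("!HH", q_payload[:4])
    probe = Probe(q_src, sport, q_dst, dport)
    if dport in TRACEROUTE_PORTS and probe in outstanding:
        return "allow"
    return "deny"


# --- constructed sample packets (not captured traffic) ---------------------

def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_udp(sport: int, dport: int, data: bytes = b"") -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_icmp_error(icmp_type: int, code: int, quoted: bytes) -> bytes:
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + quoted[:28]


def demo() -> dict[str, str]:
    """Run the check over four constructed inbound packets (example addresses)."""
    web, hop, target, rogue = "192.0.2.10", "198.51.100.1", "203.0.113.5", "198.51.100.99"
    outstanding = {Probe(web, 40000, target, 33436)}      # probe for hop 3 left the DMZ
    sent = build_ipv4(web, target, PROTO_UDP, build_udp(40000, 33436, b"\0" * 4), ttl=3)
    never_sent = build_ipv4(web, target, PROTO_UDP, build_udp(5555, 33436), ttl=3)
    echo_reply = struct.pack("!BBHHH", 0, 0, 0, 0x1234, 1) + b"sample payload"
    return {
        "time_exceeded_from_hop": classify_icmp(
            build_ipv4(hop, web, PROTO_ICMP, build_icmp_error(ICMP_TIME_EXCEEDED, 0, sent)), outstanding),
        "port_unreachable_from_target": classify_icmp(
            build_ipv4(target, web, PROTO_ICMP, build_icmp_error(ICMP_DEST_UNREACH, 3, sent)), outstanding),
        "echo_reply": classify_icmp(build_ipv4(target, web, PROTO_ICMP, echo_reply), outstanding),
        "unsolicited_time_exceeded": classify_icmp(
            build_ipv4(rogue, web, PROTO_ICMP, build_icmp_error(ICMP_TIME_EXCEEDED, 0, never_sent)), outstanding),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:30s} {verdict}")
```

The `outstanding` set stands in for the connection-tracking state a stateful firewall keeps when it sees the UDP probe leave; a proxy of the kind the reply describes would hold the same information because it originates the probe itself. Without that state, the most a packet filter can do is the static part of the check (ICMP types 11 and 3/3 only, quoted UDP from an address in the DMZ to a port in the traceroute range), which is still far narrower than admitting Echo Reply.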
Current thread:
- traceroute Wigg, Guy G (Jun 24)
- <Possible follow-ups>
- Re: traceroute Bill_Royds (Jun 25)